BYOD forces users’ personal information on help desk
Help desk staffers can be caught in the middle when BYOD users get verrrry personal with their devices.
As the recent scandal over leaked celebrity photographs reminded us all, people use their electronic devices for very personal pursuits in the era of smartphone ubiquity. Depending on the age and inclination of its owner, a modern-day digital device might contain not just nude selfies like those that were shared online, but images from dating sites like Tinder and Grindr, creepshots, or other salacious or even illegal material downloaded from the backwaters of “the dark Web” via anonymizers like Tor.
As blogger Kashmir Hill summed up as the selfie scandal was unfolding, “Phones have become sex toys.”
If that’s true, then those toys are making their way into the workplace in record numbers, thanks to the ever-increasing number of organizations adopting bring-your-own-device (BYOD) policies.
In a perfect world, none of this should concern help desk employees — with a well-executed mobile management program in place that incorporates containerization, a technician ought to be able to assist employees with corporate apps and data without encountering so much as a pixel of not-safe-for-work (NSFW) material.
But the world isn’t always perfect, as IT support staffers know perhaps more than most. Which means they can find themselves looking not just at enterprise applications but at private images and texts they’d really rather not see. Or politely pointing out to an employee who’s synced all her devices to the cloud that pictures from her honeymoon are currently being displayed on the conference room’s smartboard. Or repeatedly removing viruses picked up by the same users visiting the same porn sites.
The scope of the problem
In a survey published last year by software vendor ThreatTrack Security, 40% of tech support employees said they’d been called in to remove malware from the computer or other device of a senior executive, specifically malware that came from infected porn sites. Thirty-three percent said they had to remove malware caused by a malicious app the executive installed. Computerworld checked with several security experts, none of whom was particularly surprised by that statistic.
The ThreatTrack survey didn’t tease out how much of this was on BYODs. But in a February 2014 survey by consulting firm ITIC and security training company KnowBe4, 34% of survey participants said they either “have no way of knowing” or “do not require” end users to inform them when there is a security issue with employee-owned hardware. Some 50% of organizations surveyed acknowledged that their corporate and employee-owned BYOD and mobile devices could have been hacked without their knowledge in the last 12 months. “BYOD has become a big potential black hole for a lot of companies,” says Laura DiDio, ITIC principal analyst.
One big concern: As McAfee Labs warns in its 2014 Threat Predictions report, “Attacks on mobile devices will also target enterprise infrastructure. These attacks will be enabled by the now ubiquitous bring-your-own-device phenomenon coupled with the relative immaturity of mobile security technology. Users who unwittingly download malware will in turn introduce malware inside the corporate perimeter that is designed to exfiltrate confidential data.”
Today’s malware from porn sites is usually not the kind of spyware that’s dangerous to enterprises, says Carlos Castillo, mobile and malware researcher at McAfee Labs — but that could change. “Perhaps in the future, because of the great adoption of BYOD and people using their devices on corporate networks, malware authors could . . . try to target corporate information,” he says.
In fact, a proof-of-concept application was recently leaked that is designed to target corporate data from secure email clients, Castillo says. The software used an exploit to obtain root privileges on the device to steal emails from a popular corporate email client, alongside other spyware exploits like stealing SMS messages. “While we still have not seen malware from porn sites that is dangerous to enterprises,” Castillo says, “this leaked application could motivate malware authors to use the same techniques using malicious applications potentially being distributed via these [porn] sites.”
Beyond security, there could be legal liabilities in play as well, some analysts caution. For example, a corporation might be liable if an IT staffer saw evidence of child porn on a phone.
To be sure, porn sites cause only a small fraction of the problems that users introduce into the enterprise. According to Chester Wisniewski, senior security advisor at Sophos, some 82% of infected sites are not suspicious places like porn sites, but rather sites that appear benign. And for smartphones, the biggest malware danger is from unsanctioned apps, not NSFW sites, he says.
Roy Atkinson, a senior analyst at HDI, a professional association and certification body for the technical service and support industry, sees no evidence of a widespread problem. When he specifically asked a couple of IT professionals who are responsible for mobile management in their organization, “they told me either ‘we don’t see it’ or ‘we make believe we don’t see it,’” says Atkinson. “People don’t really want to think about this or talk about it much.”
Escalate or let it go?
Whatever the frequency, when and if NSFW issues do arise, the IT department often winds up functioning as a “first responder” that has to decide whether to escalate the incident or let it go. “If somebody complains about [a co-worker] displaying pictures on their smartphone at a meeting . . . then the company’s acceptable use policy will come into play,” says Atkinson. Or if IT employees find malware that came from a porn site and could endanger the network, they may say something — to the employee or to a manager. “But as we know, policies are enforced somewhat arbitrarily,” Atkinson says.
Barry Thompson, network services manager at ENE Systems, a $37-million energy management and HVAC controls company in Canton, Mass., says he has seen problems increase because of what he calls “bring your own connection.” People assume “that it’s their personal phone so they can do as they like,” he says. But they are using the office Wi-Fi network, which Thompson monitors. He can see every graphic that passes through the network. “If I notice pictures of naked people, I can click on it and find out who’s looking at that,” he says. When that happens, Thompson usually gives a warning on first offense. If it happens again, he brings in the employee’s supervisor.
“It’s like the Wild West out there if it’s the employee’s own device,” says Dipto Chakravarty, executive vice president of engineering and products at ThreatTrack Security. Companies have a hard time enforcing their policies on BYOD devices, because it is, after all, the employee’s device.
Often, the “old boy network” kicks in. The user “is petrified that IT will see all these bad sites that the user has visited,” says Chakravarty. Employees admit they made a mistake and ask IT to please ignore the material. “IT doesn’t really want to see the dirty laundry, so they say, ‘Hey, no problem. I’ll just wipe it clean and you’re good to go,’” he says. “That’s the norm.”
The tendency to “cover for your buddies — guys have been doing that for time immemorial,” says Robert Weiss, senior vice president of clinical development with Elements Behavioral Health and a sex addiction expert. But there are social and ethical concerns for both the employee and for IT, says Weiss, co-author of the 2014 book, Closer Together, Further Apart: The Effect of Digital Technology on Parenting, Work and Relationships.
What happens, asks Weiss, when IT sees photos of naked children on someone’s phone, which could be child porn, or repeatedly removes malware from porn sites from the same user’s device, which could indicate an addiction? IT staffers are typically not well equipped to address criminal or addictive behaviors.
Weiss thinks there should be clear policies that indicate when IT needs to report such information to human resources, similar to policies about repeated drinking or signs of other addictions, and let HR take it from there. “The IT person should not be involved,” he says. “I would not want to put the IT person in the position of having to talk about sex with an employee that they don’t particularly know well.”
At least one technical analyst, who has worked in IT support at a range of companies, thinks reporting such users to HR is taking it too far. Flagging child pornography is one thing, he says, but addiction? “I’m not going to HR about BYOD riddled with porn. It’s their device. As much as I love helping people, their personal porn habits, even at an addiction level, are not my problem. Unless it’s criminal, I don’t care.”
Protecting IT from users
The ideal fix is to create a corporate container to hold all business applications, including corporate email and Internet browsing.
And the best way to achieve that goal is with the emerging class of enterprise mobility management (EMM) technology, says Eric Ahlm, a research director at Gartner. “When properly configured, EMM solutions create a corporate container that provides OS-level security and isolates apps and data in the container from what’s outside,” explains Ahlm. The corporate container can encompass email applications, Web browsers, customer mobile applications and off-the-shelf mobile applications. Within that container, IT can create isolated data-sharing and -protection policies, or easily deploy more mobile apps, or remove them — all without touching the personal information outside of the container, he explains. “It makes all those issues go away.”
On the personnel management side of the equation, companies should be sure to update their acceptable use policies to include BYOD. ENE’s Thompson found that his company’s acceptable use policy did not mention personally owned devices. So last year, says Thompson, ENE amended the policy to specify that “any use of corporate resources or systems, regardless of ownership of the devices, obligates the user to comply with the corporate acceptable use policy.”